AppSec noise and fatigue by the numbers

Relying on traditional application security testing (AST) solutions like Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) too frequently leads to headaches and insecure web applications. 

Applications are increasingly being targeted

• The number of data breaches caused by an exploited vulnerability rose 180% year-over-year.¹
• 50% increase in zero days being exploited year-over-year.²
• Less than 6% of applications have no flaws.³

Application vulnerabilities are not being adequately addressed

• 55 days after a third-party library vulnerability fix is released, half of applications continue using the unfixed version.⁴
• 48% of third-party flaws and 41% of first-party flaws are not remediated within 12 months.⁵

Legacy AppSec solutions have high false-positive rates

• For some tools and some languages, SAST’s false-positive rate is over 68%. ⁶
• NIST has found that SAST’s false-positive rate is as high as 78% for Java.⁷
• Per the OWASP Benchmark, DAST tools have a false-positive rate of 82%.⁸
• A high false-positive rate slows down remediation efforts, as dealing with 240 issues requires a full week’s worth of effort.⁹

Why are false positives so damaging?

• Wasted time and remediation effort
• Erodes trust in tooling, and can damage trust between security and developers

SAST and DAST take too long

• DAST tools may need up to 4 hours to scan some critical applications.10
• Mean time to  remediation (MTTR) for some leading AST solutions is 298 days.¹¹
• 41% of first-party flaws are
  not remediated within 12 months.¹²

The difference that Interactive Application Security Testing (IAST) brings

• Up to 3x faster remediation times¹¹
• 156% reduction in false positives.¹²
• 155% faster MTTR compared to leading AST solutions.¹³

Business benefits of IAST

Contrast Security is the single best solution for optimizing for efficacy with a 100% true positive rate, per OWASP Benchmark.¹⁵

¹ https://www.verizon.com/business/resources/reports/dbir/
² https://cloud.google.com/blog/topics/threat-intelligence/2023-zero-day-trends
³ https://www.veracode.com/sites/default/files/2024-02/SOSS-Re-
port-2024.pdf?mkt_tok=NzkwLVpLVy0yOTEAAAGSbg3DHS_qVqteuMfnVaofr6H8E7jv5dTpjin5zH1f37SmyDfz1e3SvRkWaOr2w2fWRTVO7DlMUwjSYVQXljqj8jaY4uSr-h4M Uil2q1g1CNMJ3XY
⁴ Verizon DBIR
⁵ 2024 Veracode State of Software Security Report
⁶ https://personal.utdallas.edu/~lxz144130/publications/icst2016.pdf
⁷ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-326.pdf
⁸ https://owasp.org/www-project-benchmark/
⁹ https://www.securitycompass.com/blog/safeguarding-software-quality-tackling-false-negatives-with-security-by-design/
¹⁰ https://docs.veracode.com/r/getting-started-with-crashtest-security
¹¹ https://info.veracode.com/report-state-of-software-security-volume-12.html
¹²2024 Veracode State of Software Security Report
¹³ https://www.contrastsecurity.com/customer-success/unit-4
¹⁴ IBID
¹⁵ Contrast Security internal data,   https://info.veracode.com/report-state-of-software-security-volume-12.html
¹⁶ Results from one Fortune 100 Insurance Company from 2022
¹⁷ https://owasp.org/www-project-benchmark/